CVE-2025-56400

HIGH

Tuya Smartlife < 6.5.0 - CSRF

Title source: rule

Description

Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms.

References (2)

[Broken Link] http://tuya.com

[Vendor Advisory] https://src.tuya.com/announcement/30

Scores

CVSS v3 8.8

EPSS 0.0002

EPSS Percentile 4.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-352 CWE-384

Status published

Products (4)

tuya/smartlife 6.3.1

tuya/smartlife 6.3.4

tuya/tuya < 6.5.0 (2 CPE variants)

tuya/tuya_smart 6.3.1 (2 CPE variants)

Published Nov 24, 2025

Tracked Since Feb 18, 2026